SINGLE SIGN-ON TO AN UNDERLYING OPERATING SYSTEM APPLICATION

TECHNICAL FIELD 

The present invention relates to the field of data processing systems, and more particularly to a
computer program product and method for bypassing the initial sign-on screen of an underlying operating
system with single sign-on capability.

BACKGROUND INFORMATION 

Computer users are demanding flexible and sophisticated techniques in hardware and software
implementations. This flexibility and sophistication are readily evident in evolving systems which relieve
users of having to log on multiple times to a system. Typically a user identifies him/herself to the system by
providing his/her userID and password. User management services will check the profile of the specified
user and verify that the password provided is that of the named user. If the password is correct for the
user, the user is marked as logged on and may subsequently access authorized system objects. The user
may subsequently have to log on again, perhaps with a different userID and password, to access an
application, e.g., word processing program, electronic mail, etc., after the user has logged onto the system.
A recent study revealed that the average user of four applications spends approximately 44.4 hours per
year just logging onto those applications. If the same user had a single sign-on capability, the time required
to log onto the four applications would be reduced to approximately 17 hours per year. Single sign-on
denotes the process by which the user presents a userID and password only once to access multiple
applications or systems.

A system with single sign-on capability has been implemented by Hewlett Packard Company with
the Windows operating system (Windows is a registered trademark of the Microsoft Corporation). The
single sign-on is accomplished by taking advantage of what are known as "hooks", which enable calls to be
made to callback functions when specified events occur, such as the activation of a window. Such a hook
enables a dynamic-link library (DLL) to be inserted automatically into an executing application program.
A DLL file is one that contains one or more functions that are compiled, linked and stored separately from
the application processes that use them. Upon a call being made to a DLL, the Windows Operating System
maps the DLL into the process's address space when the process is either starting or running. By
storing in the DLL the correct input sequence for logging onto an application and associating that input
sequence with the application's logon dialog box, the user is automatically logged onto the
application once the user has successfully logged onto the Windows Operating System.

Unfortunately the user must log onto the underlying operating system, such as Windows 2000 or 
Windows NT, prior to accessing an application. It would therefore be desirable to bypass the initial 
sign-on screen of the underlying operating system so that the user signs on directly to the application 
environment while maintaining a single sign-on capability. It would further be desirable to change the level 
of access, i.e., change the assortment and/or number of applications the user has access to utilize, while 
maintaining a single sign-on capability. 
SUMMARY

The problems outlined above may at least in part be solved in some embodiments by providing an
application framework which logs a user with a first level of access into the underlying operating system,
thereby bypassing the initial sign-on screen of the underlying operating system. The user will then enter
a logon input, e.g., userID and password, on an application framework sign-on screen. Upon the user
entering the logon input, the application framework compares the logon input with an application framework
security database to determine the level of access. If the user is only entitled to the first level of access, then
the user is restricted to a first level user. If the user is entitled to another level of access, then a switch user
program may be executed to switch the level of access to a second level of access, e.g., a change in the
assortment and/or number of applications.

In one embodiment, a method of bypassing an initial sign-on screen of an underlying operating
system with a single sign-on capability comprises the step of providing an application framework where the
application framework logs on a user with a first level of access in the underlying operating system thereby
bypassing the initial sign-on screen of the underlying operating system. The method further comprises
entering a logon input, e.g., userID and password, by the user on a generated application framework
sign-on screen. The method further comprises selecting an indication, e.g., icon, of the first level of access
by the user. The method further comprises comparing the logon input with an application framework
security database to determine the level of access. The user is then logged onto the underlying operating
system and an application environment with a first level of access. If the logon input entered by the user
corresponds to a user defined by the application framework security database as having one or more
additional levels of access, then an indicator, e.g., icon, is generated which will allow the user to access a
second level of access. Upon the selection of the indicator, a switch user program is executed to switch
the user to the second level of access. If the logon input entered by the user is defined by the application
framework security database as having access only to the first level of access, then the user is restricted
to the first level of access.
In another embodiment of the present invention, a method of bypassing an initial sign-on screen of
an underlying operating system with a single sign-on capability comprises the step of providing an
application framework where the application framework logs on a user with a first level of access in the
underlying operating system thereby bypassing the initial sign-on screen of the underlying operating system.
The method further comprises entering a logon input, e.g., userID and password, by the user on a
generated application framework sign-on screen. The method further comprises selecting an indication,
e.g., icon, of a second level of access by the user. The method further comprises comparing the logon input
with an application framework security database to determine the level of access. If the user is authorized
to access one or more additional levels of access, a switch user program is executed to switch the user to
the second level of access. If the user is only authorized to access the first level of access, the user is
restricted to the first level of access.

The foregoing has outlined rather broadly the features and technical advantages of the present
invention in order that the detailed description of the invention that follows may be better understood.
Additional features and advantages of the invention will be described hereinafter which form the subject
of the claims of the invention.



BRIEF DESCRIPTION OF THE DRAWINGS

A better understanding of the present invention can be obtained when the following detailed 
description is considered in conjunction with the following drawings, in which: 

Figure 1 illustrates a data processing system configured in accordance with the present invention; 

Figure 2 is a flowchart depicting a method for bypassing the initial sign-on screen of an underlying 
operating system and comparing a logon input with a database to determine a user's level of access with 
single sign-on capability; 

Figure 3 is a flowchart depicting a method for bypassing the initial sign-on screen of an underlying 
operating system and executing a switch user program to switch the level of access after a user initially 
selects a first level of access with single sign-on capability; and 

Figure 4 is a flowchart depicting a method for bypassing the initial sign-on screen of an underlying 
operating system and executing a switch user program to switch the level of access after a user initially 
selects a second level of access with single sign-on capability. 
DETAILED DESCRIPTION

The present invention comprises a method and computer program product for bypassing an initial
sign-on screen of an underlying operating system, e.g., Windows 2000, Windows NT, with a single sign-on
capability. In one embodiment of the present invention a method comprises the steps of providing an
application framework where the application framework logs on a user with a first level of access in the
underlying operating system. The method further comprises generating an application framework sign-on
screen where the user may enter a logon input such as a user name and password. The method further
comprises comparing the logon input with an application framework security database to determine the
level of access. If the user is authorized to switch the level of access, a switch user program is executed
to switch the user to a second level of access. If the user is not authorized to switch the level of access,
then the user is restricted to the first level of access. In another embodiment of the present invention, the
user selects an icon to maintain the first level of access upon entering the logon input. In another
embodiment of the present invention, the user selects an icon to change the level of access upon entering
the logon input.

Figure 1 - Computer System

Figure 1 illustrates a typical hardware configuration of data processing system 13 which is
representative of a hardware environment for practicing the present invention. Data processing system 13
has a central processing unit (CPU) 10, such as a conventional microprocessor, coupled to various other
components by system bus 12. Read only memory (ROM) 16 is coupled to system bus 12 and includes
a basic input/output system ("BIOS") that controls certain basic functions of data processing system 13.
Random access memory (RAM) 14, I/O adapter 18, and communications adapter 34 are also coupled
to system bus 12. I/O adapter 18 may be a small computer system interface ("SCSI") adapter that
communicates with disk units 20 and tape drives 40. Communications adapter 34 interconnects bus 12
with an outside network enabling data processing system 13 to communicate with other such systems.
Input/Output devices are also connected to system bus 12 via a user interface adapter 22 and a display
adapter 36. A display monitor 38 is connected to system bus 12 by display adapter 36. In this manner,
a user is capable of inputting to system 13 through a keyboard 24 or a mouse 26 and receiving output from
system 13 via display 38.

Preferred implementations of the invention include implementations as a computer system
programmed to execute the method or methods described herein, and as a computer program product.
According to the computer system implementations, sets of instructions for executing the method or
methods are resident in the random access memory 14 of one or more computer systems configured
generally as described above. Until required by the computer system, the set of instructions may be stored
as a computer program product in another computer memory, for example, in disk drive 20 (which may
include a removable memory such as an optical disk or floppy disk for eventual use in disk drive 20).
Furthermore, the computer program product can also be stored at another computer and transmitted when
desired to the user's work station by a network or by an external network such as the Internet. One skilled
in the art would appreciate that the physical storage of the sets of instructions physically changes the
medium upon which it is stored so that the medium carries computer readable information. The change may
be electrical, magnetic, chemical or some other physical change.

Figure 2 - Flowchart of a Method of Bypassing the Initial Sign-On Screen of an Underlying Operating
System with Single Sign-On Capability


Figure 2 illustrates a flowchart of one embodiment of the present invention of a method 200 for
bypassing the initial sign-on screen of an underlying operating system, e.g., Windows 2000, Windows NT,
with single sign-on capability. Data processing system 13 typically includes an operating system within a
kernel having a plurality of operating system functions. In step 210, an application framework logs the user
into the underlying operating system with a first level of access thereby bypassing the initial sign-on screen
of the underlying operating system. An application framework resides in memory of data processing system
13 and controls the environment, e.g., icons, etc., the user sees. That is, the application framework
controls what applications are accessible to the particular user. Level of access refers to the assortment
and/or number of applications the user has access to utilize. The first level of access may be the lowest
level in terms of the assortment and/or number of applications a user of that access has to utilize. For
example, the underlying operating system, e.g., Windows NT, may have two levels of access, e.g., one
level of access for a restricted user and another level of access for an administrative user. The restricted
user may have the lowest level of access and the administrative user may have the highest level of access.
It is noted that the application framework and the underlying operating system may assign any number of
levels of access for any number of users.

An application framework may log the user into the underlying operating system, e.g., Windows NT,
with a first level of access, e.g., restricted user, thereby bypassing the initial sign-on screen of the underlying
operating system in step 210 by modifying the underlying system's registry. The registry is a database in
which configuration information is registered for the underlying operating system. The following routine
illustrates one embodiment of modifying the underlying system's registry: it enables Winlogon's automatic
logon (AutoAdminLogon) and supplies the account name and password that Winlogon will use the next time
it performs an automatic logon. Note that the password is written to the Winlogon key as a cleartext REG_SZ
value. That key is readable by ordinary local users, so the autologon account's password is disclosed to
anyone who can read the registry on the machine; the account logged on this way must therefore be treated
as a shared, low-privilege account, which is consistent with the embodiment giving it only the restricted first
level of access.

#include <windows.h>
#include <stdio.h>
#include <string.h>

// sfRegistryEntry is the application framework's own wrapper around the
// Win32 registry API (RegOpenKeyEx / RegSetValueEx / RegCloseKey). Open()
// returns non-zero on success; SetValue() returns a Win32 error code.

long setAutoLogonId( char *userID, char *password )
{
    // *******************************************************************
    // Query registry entries to retrieve parameters.
    // *******************************************************************
    char            szKey[ MAX_PATH + 1 ];
    sfRegistryEntry registryEntry;
    long            rc = 0;

    // Key (under HKEY_LOCAL_MACHINE):
    // "Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
    strcpy( szKey, "Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" );

    // Open key
    if ( registryEntry.Open( szKey ) )
    {
        // ***************************************************************
        // Set AutoAdminLogon in registry. Type must be REG_SZ.
        // Winlogon only honours the string value "1".
        // ***************************************************************
        if ( registryEntry.SetValue( "AutoAdminLogon", "1", REG_SZ ) == ERROR_SUCCESS )
        {
            printf( "AutoAdminLogon set ON\n" );
        }
        else
        {
            rc = GetLastError();
            printf( "Error: AutoAdminLogon SetValue rc = %ld\n", rc );
        }

        // ***************************************************************
        // Set DefaultUserName in registry. Type must be REG_SZ.
        // ***************************************************************
        if ( registryEntry.SetValue( "DefaultUserName", userID, REG_SZ ) == ERROR_SUCCESS )
        {
            printf( "DefaultUserName set to %s\n", userID );
        }
        else
        {
            rc = GetLastError();
            printf( "Error: DefaultUserName SetValue rc = %ld\n", rc );
        }

        // ***************************************************************
        // Set DefaultPassword in registry. Type must be REG_SZ.
        // The password is stored in cleartext by this value type.
        // ***************************************************************
        if ( registryEntry.SetValue( "DefaultPassword", password, REG_SZ ) == ERROR_SUCCESS )
        {
            printf( "DefaultPassword set\n" );
        }
        else
        {
            rc = GetLastError();
            printf( "Error: DefaultPassword SetValue rc = %ld\n", rc );
        }

        registryEntry.Close();
    }
    else
    {
        // Open failed: report it rather than returning 0 (success) silently.
        rc = GetLastError();
        printf( "Error: cannot open Winlogon key rc = %ld\n", rc );
    }

    return rc;
}
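As an added check (example code written for this edition, not part of the patent or of the application framework), the following Python audit reads the same Winlogon values that the routine above writes and reports whether automatic logon is enabled and whether DefaultPassword is sitting in the registry in cleartext. The classification works on a plain dictionary so it runs on any platform; read_winlogon_values() fills that dictionary from HKLM with the standard-library winreg module and therefore only works on Windows. Function names, finding codes and the sample snapshot are constructed for this example.

```python
"""Audit the Winlogon automatic-logon values written by setAutoLogonId().

Example code added to this text; the names below are not from the patent.
"""
from typing import Dict, List, Tuple

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# REG_SZ values Winlogon consults for automatic logon.
AUTOLOGON_VALUES = ("AutoAdminLogon", "DefaultUserName",
                    "DefaultDomainName", "DefaultPassword")

# Finding codes returned by check_autologon().
AUTOLOGON_ENABLED = "AUTOLOGON_ENABLED"                 # AutoAdminLogon == "1"
CLEARTEXT_PASSWORD = "CLEARTEXT_PASSWORD"               # DefaultPassword present as REG_SZ
PASSWORD_NOT_IN_REGISTRY = "PASSWORD_NOT_IN_REGISTRY"   # may be held as an LSA secret instead
STALE_PASSWORD = "STALE_PASSWORD"                       # password left behind, autologon off


def read_winlogon_values() -> Dict[str, str]:
    """Read the autologon values from HKLM. Windows only (needs winreg);
    values that do not exist are simply left out of the result."""
    import winreg  # standard library on Windows; ImportError elsewhere
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in AUTOLOGON_VALUES:
            try:
                data, _kind = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue
            values[name] = str(data)
    return values


def autologon_enabled(values: Dict[str, str]) -> bool:
    """Winlogon honours AutoAdminLogon only when the string is exactly "1"."""
    return values.get("AutoAdminLogon", "0").strip() == "1"


def check_autologon(values: Dict[str, str]) -> List[str]:
    """Classify a snapshot of the Winlogon values.

    The Winlogon key is readable by ordinary local users, so a REG_SZ
    DefaultPassword is a cleartext credential available to anyone who can
    log on to or run code on the machine.
    """
    findings: List[str] = []
    has_password = "DefaultPassword" in values
    if autologon_enabled(values):
        findings.append(AUTOLOGON_ENABLED)
        findings.append(CLEARTEXT_PASSWORD if has_password else PASSWORD_NOT_IN_REGISTRY)
    elif has_password:
        findings.append(STALE_PASSWORD)
    return findings


def remediation_plan(values: Dict[str, str]) -> List[Tuple[str, ...]]:
    """Registry operations, in order, that remove the cleartext credential.
    Apply them with winreg.DeleteValue / winreg.SetValueEx on a key opened
    with KEY_SET_VALUE; this function only computes the plan."""
    plan: List[Tuple[str, ...]] = []
    if "DefaultPassword" in values:
        plan.append(("delete", "DefaultPassword"))
    if autologon_enabled(values):
        plan.append(("set", "AutoAdminLogon", "0"))
    return plan


# Constructed snapshot mirroring what setAutoLogonId("kiosk", "s3cret") leaves behind.
SAMPLE_VALUES = {
    "AutoAdminLogon": "1",
    "DefaultUserName": "kiosk",
    "DefaultDomainName": "WORKSTATION",
    "DefaultPassword": "s3cret",
}

if __name__ == "__main__":
    try:
        snapshot = read_winlogon_values()
    except ImportError:
        snapshot = SAMPLE_VALUES  # not on Windows: fall back to the constructed sample
    for finding in check_autologon(snapshot):
        print(finding)
    for step in remediation_plan(snapshot):
        print("remediate:", *step)
```

The check deliberately reads only the registry: a DefaultPassword kept as an LSA secret (the alternative Windows offers for exactly this reason) is invisible to it, which is why an enabled autologon without a registry password is reported separately rather than treated as clean.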

Once the application framework logs the user into the underlying operating system, an application
framework sign-on screen is generated in step 220. In step 230, the user enters a logon input, e.g., a
userID and password, on the generated application framework sign-on screen. In step 240, the application
framework compares the userID and password entered by the user with a database commonly referred
to as an application framework security database to determine the level of access of the user. The
application framework security database stores system operator information such as defining the users,
passwords, groups of users and application specific authorization.

A determination is made by the application framework in step 250 as to whether the user is
authorized to access one or more additional levels of access from the comparison of the logon input entered
by the user in step 230 and the application framework security database. If the logon input entered by the
user in step 230 corresponds to a user defined by the application framework security database as only
having access to the first level of access, then the user is restricted to a first level of access in step 260.
However, if the logon input entered by the user in step 230 corresponds to a user defined by the application
framework security database as having one or more additional levels of access, then a switch user program
is executed in step 270. The switch user program may reside in various memory locations in data
processing system 13 such as a subdirectory on any disk 20. The switch user program switches the user
to another level of access by modifying the underlying operating system's registry. The registry is a
database in which configuration information is registered for the underlying operating system. Once the
registry is modified to log on the user with a different level of access, the switch user program logs off the
user and the underlying operating system logs on the user with the new level of access.
Figure 3 - Flowchart of a Method Implementing Switch User Program After User Initially Selects a First
Level of Access



Figure 3 illustrates a method 300 according to an embodiment of the present invention. Figure 3
is a method 300 of bypassing the initial sign-on screen for the underlying operating system and executing
a switch user program to switch the level of access of the user after the user initially selects a first level of
access with single sign-on capability. In step 305, the application framework logs the user into the
underlying operating system with a first level of access, e.g., restricted user, thereby bypassing the initial
sign-on screen of the underlying operating system. The application framework may bypass the initial
sign-on screen of the underlying operating system by modifying the underlying system's registry. The
registry is a database in which configuration information is registered for the underlying operating system.
An embodiment of a routine for modifying the underlying system's registry is disclosed in the detailed
description of Figure 2. In step 310, an application framework sign-on screen is generated. In step 315,
the user enters a logon input, e.g., a userID and password, on the generated application framework sign-on
screen.

In step 320, the user may select an indicator, e.g., icon, to maintain a first level of access, such as
by clicking on a button, that appears on the application framework sign-on screen. As stated above, the
first level of access may be the lowest level of access in terms of the assortment and/or number of
applications a user of that access has to utilize. In step 325, the application framework compares the logon
information the user entered in step 315, such as a userID and password, with an application framework
security database to determine if the user is authorized to switch level of access. As stated above, the
application framework security database stores system operator information such as defining the users,
passwords, groups of users and application specific authorization.

The user is then logged onto an application environment, e.g., retail application environment, as a
first level user in step 330. Once logged onto the application environment, an application framework
desktop appears. The application framework desktop refers to the screen the user sees with the icons of
various applications the user may utilize. The application framework desktop initially shown would be for
a user with a first level of access as the user selected the indicator of the first level of access in step 320.
Therefore, the user is logged onto both the underlying operating system and the application environment
with a first level of access thereby bypassing the initial sign-on screen of the underlying operating system
with single sign-on capability.

A determination is made by the application framework in step 335 as to whether the user is
authorized to access one or more additional levels of access from the comparison of the logon input
entered by the user in step 315 and the application framework security database. If the logon input
entered by the user in step 315 corresponds to a user defined by the application framework security
database as only having access to the first level of access, then the user is restricted to the first level of
access in step 340. However, if the logon input entered by the user in step 315 corresponds to a user
defined by the application framework security database as having one or more additional levels of access,
then an indicator such as an icon is generated on the application framework desktop which will allow the
user to access the one or more additional levels of access the user is authorized to access in step 345.

In step 350, the user may select the indicator to access another level of access, e.g., by clicking on
an icon, which executes a switch user program. The switch user program may reside in various memory
locations in data processing system 13 such as a subdirectory on any disk 20. The switch user program
switches the user to another level of access by modifying the underlying operating system's registry. The
registry is a database in which configuration information is registered for the underlying operating system.
Once the registry is modified to log on the user with a different level of access, the switch user program logs
off the user and the underlying operating system logs on the user with the new level of access.


RPS9-2000-0052US1 PATENT


Figure 4 - Flowchart of a Method Implementing Switch User Program After User Initially Selects a Second 
Level of Access 

Figure 4 illustrates a method 400 according to an embodiment of the present invention. Figure 4
is a method 400 of bypassing the initial sign-on screen for the underlying operating system and executing
a switch user program to switch the level of access of the user after the user initially selects a second level
of access with single sign-on capability. In step 405, the application framework logs the user into the
underlying operating system with a first level of access, e.g., restricted user, thereby bypassing the initial
sign-on screen of the underlying operating system. The application framework may bypass the initial
sign-on screen of the underlying operating system by modifying the underlying system's registry. The
registry is a database in which configuration information is registered for the underlying operating system.
An embodiment of a routine for modifying the underlying system's registry is disclosed in the detailed
description of Figure 2. In step 410, an application framework sign-on screen is generated. In step 415,
the user enters a logon input, e.g., a userID and password, on the generated application framework sign-on
screen.

In step 420, the user may select an indicator, e.g., icon, to change the level of access to a second 
level of access, such as by clicking on a button, that appears on the application framework sign-on screen. 
The second level of access, e.g., administrative user, may be a level of access with an additional assortment 
and/or number of applications versus a first level of access, e.g., restricted user. 

In step 425, the application framework compares the logon information the user entered in step
415, such as a userID and password, with an application framework security database to determine if the
user is authorized to switch level of access. As stated above, the application framework security database
stores system operator information such as defining the users, passwords, groups of users and application
specific authorization.
A determination is made by the application framework in step 430 as to whether the user is
authorized to access one or more additional levels of access from the comparison of the logon input entered
by the user in step 415 and the application framework security database. If the logon input entered by the
user in step 415 corresponds to a user defined by the application framework security database as only
having access to the first level of access, then the user is logged onto an application environment, e.g., retail
application environment, as a first level user in step 435. Once logged onto the application environment,
an application framework desktop appears. As stated above, the application framework desktop refers
to the screen the user sees with the icons of various applications the user may utilize. The application
framework desktop shown would be for a user with a first level of access.

However, if the logon input entered by the user in step 415 corresponds to a user defined by the
application framework security database as having one or more additional levels of access, then the switch
user program is executed in step 440. As stated above, the switch user program may reside in various
memory locations in data processing system 13 such as a subdirectory on any disk 20. After the switch
user program is executed, the switch user program transfers the logon input, such as a userID and password,
to the underlying operating system for verification in step 445. In step 450, the underlying operating system
determines whether the user has another level of access. In one embodiment, the underlying operating
system may compare the logon input with an underlying operating system security database. The underlying
operating system security database may be similar to the application framework security database.

If the user is entitled to access another level of access, e.g., administrative access, then the user's
level of access is changed to another level of access in step 455. The user's level of access is changed by
the switch user program modifying the underlying operating system's registry. The registry is a database
in which configuration information is registered for the underlying operating system. Once the registry is
modified to log on the user with a different level of access, the switch user program logs off the user and
the underlying operating system logs on the user with the new level of access.
If the underlying operating system in step 450 determines that the user is not entitled to another level
of access, then the underlying operating system may prompt the user for logon identification, e.g., a userID
and password, in step 460. The underlying operating system makes another determination in step 465 as
to whether the user has access to another level of access. In an embodiment of the present invention, the
underlying operating system may determine whether the user has access to another level of access by
comparing the logon identification with a database. If the user is entitled to access another level of access,
e.g., administrative access, then the user's level of access is changed in step 455. The user's level of access
is changed by the switch user program modifying the underlying operating system's registry. The registry
is a database in which configuration information is registered for the underlying operating system. Once the
registry is modified to log on the user with a different level of access, the switch user program logs off the
user and the underlying operating system logs on the user with the new level of access.

If the underlying operating system in step 465 determines that the user is not entitled to another level 
of access, then the user is restricted to the first level of access, e.g., restricted user, in step 470. 
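The access decision that Figures 2, 3 and 4 describe in prose (compare the logon input with the application framework security database, then either stay on the first-level desktop, show a switch-user icon, or run the switch user program and let the underlying operating system verify the credentials) is modelled below in Python. This is example code added to this text, not code from the patent or from any product; the class, function and user names, the password hashing, and the sample database are constructed for illustration. It generalises the two-level case in the text to any set of levels held per group.

```python
"""Model of the application framework security database and the level-of-access
decision of Figures 2 to 4. Example code added to this text; class, function and
user names are constructed and do not come from the patent."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Set, Tuple

FIRST_LEVEL = "restricted"        # level the autologon account already has
SECOND_LEVEL = "administrative"   # level reached by running the switch user program
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the database never holds reusable cleartext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class FrameworkSecurityDatabase:
    """Users, passwords, groups of users and application specific authorization."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes, str]] = {}  # userid -> (salt, digest, group)
        self._groups: Dict[str, Set[str]] = {}                  # group -> levels of access
        self._apps: Dict[str, Set[str]] = {}                    # level -> authorized applications
        self._dummy_salt = os.urandom(16)

    def add_group(self, group: str, levels: Set[str]) -> None:
        self._groups[group] = set(levels) | {FIRST_LEVEL}  # every group keeps the first level

    def add_user(self, userid: str, password: str, group: str) -> None:
        salt = os.urandom(16)
        self._users[userid] = (salt, hash_password(password, salt), group)

    def authorize_application(self, level: str, app: str) -> None:
        self._apps.setdefault(level, set()).add(app)

    def applications_for(self, level: str) -> Set[str]:
        return set(self._apps.get(level, set()))

    def levels_for(self, userid: str, password: str) -> Optional[Set[str]]:
        """Step 240: compare the logon input with the database.
        Returns the user's levels of access, or None if the input does not match."""
        record = self._users.get(userid)
        if record is None:
            hash_password(password, self._dummy_salt)  # same cost for unknown userIDs
            return None
        salt, digest, group = record
        if not hmac.compare_digest(hash_password(password, salt), digest):
            return None
        return set(self._groups.get(group, {FIRST_LEVEL}))


def logon_decision(db: FrameworkSecurityDatabase, userid: str, password: str,
                   selected_level: str,
                   os_verify: Optional[Callable[[str, str], bool]] = None) -> Dict[str, object]:
    """Steps 250-270 (Fig. 2), 335-350 (Fig. 3) and 430-455 (Fig. 4).

    selected_level is the icon chosen on the framework sign-on screen.
    os_verify stands in for the underlying operating system's own check
    (steps 445-450); it is consulted only when the switch user program runs.
    """
    def desktop(level: str, switch_icon: bool, authenticated: bool) -> Dict[str, object]:
        apps = db.applications_for(FIRST_LEVEL)
        if level == SECOND_LEVEL:
            apps |= db.applications_for(SECOND_LEVEL)  # second level adds applications
        return {"authenticated": authenticated, "level": level,
                "switch_icon": switch_icon, "apps": sorted(apps)}

    levels = db.levels_for(userid, password)
    if levels is None:
        # Unmatched logon input: the OS session is already the restricted
        # autologon account, so the user stays at the first level with no switch icon.
        return desktop(FIRST_LEVEL, False, False)
    entitled = SECOND_LEVEL in levels
    if selected_level == FIRST_LEVEL or not entitled:
        # Fig. 3 (or a Fig. 4 user without entitlement): first-level desktop;
        # the switch-user icon is generated only for an entitled user (step 345).
        return desktop(FIRST_LEVEL, entitled, True)
    # Fig. 4, entitled user asked for the second level: the switch user program
    # hands the logon input to the OS; if the OS rejects it the user stays restricted.
    if os_verify is not None and not os_verify(userid, password):
        return desktop(FIRST_LEVEL, False, True)
    return desktop(SECOND_LEVEL, False, True)


def build_sample_database() -> FrameworkSecurityDatabase:
    """Constructed sample: a retail clerk and a store manager."""
    db = FrameworkSecurityDatabase()
    db.add_group("clerks", {FIRST_LEVEL})
    db.add_group("managers", {FIRST_LEVEL, SECOND_LEVEL})
    db.add_user("clerk01", "clerk-pw", "clerks")
    db.add_user("mgr01", "manager-pw", "managers")
    for app in ("pos", "mail"):
        db.authorize_application(FIRST_LEVEL, app)
    for app in ("audit", "user-admin"):
        db.authorize_application(SECOND_LEVEL, app)
    return db


if __name__ == "__main__":
    db = build_sample_database()
    print(logon_decision(db, "clerk01", "clerk-pw", FIRST_LEVEL))
    print(logon_decision(db, "mgr01", "manager-pw", FIRST_LEVEL))
    print(logon_decision(db, "mgr01", "manager-pw", SECOND_LEVEL))
```

Two points worth noting against the text: the framework's database is only a gate in front of the switch user program, so the underlying operating system's own verification (os_verify here, steps 445 to 450 in the text) is what actually decides whether the second-level logon happens; and because the operating system session under the framework is already the restricted autologon account, an unmatched logon input in this model does not deny anything, it merely leaves the user on the first-level desktop, exactly the outcome the text describes for a user entitled only to the first level. The re-prompt of step 460 is left to the caller.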

Although the method and computer program product of the present invention is described in 
connection with several embodiments, it is not intended to be limited to the specific forms set forth herein, 
but on the contrary, it is intended to cover such alternatives, modifications, and equivalents, as can be 
reasonably included within the spirit and scope of the invention as defined by the appended claims. It is 
noted that the headings are used only for organizational purposes and not meant to limit the scope of the 
description or claims. 


CLAIMS: 



1. A method of bypassing an initial sign-on screen of an underlying operating system with a single sign-on capability comprising the steps of:
providing an application framework, wherein said application framework logs on a user with a first level of access in said underlying operating system;
generating an application framework sign-on screen;
entering a logon input on said generated application framework sign-on screen; and
comparing said logon input with an application framework security database to determine level of access.

2. The method as recited in claim 1 further comprising the step of:
selecting an indication of said first level of access.

3. The method as recited in claim 1, wherein said user is logged onto said underlying operating system and an application environment with said first level of access thereby bypassing said initial sign-on screen of said underlying operating system with said single sign-on.

4. The method as recited in claim 1, wherein if said logon input is not entitled to a second level of access according to said application framework security database, then said user is logged onto an application environment and said underlying operating system as said first level of access.

5. The method as recited in claim 1, wherein if said logon input is entitled to a second level of access according to said application framework security database, then the method further comprises the step of:
executing a switch user program to switch said user to said second level of access.

6. The method as recited in claim 5, wherein said switch user program switches said user to said second level of access by modifying an underlying operating system's registry.

7. The method as recited in claim 6, wherein said switch user program logs off said user with said first level of access, wherein said underlying operating system logs on said user with said second level of access.

8. The method as recited in claim 1, wherein said logon input comprises a user identification and a user password.

9. The method as recited in claim 2, wherein if said logon input is entitled to a second level of access according to said application framework security database, then the method further comprises the step of:
generating an indication of said second level of access.

10. The method as recited in claim 2, wherein if said logon input is not entitled to a second level of access according to said application framework security database, then an indication of said second level of access will not be generated to said user, wherein said user is restricted to said first level of access.

11. The method as recited in claim 9 further comprising the step of:
executing a switch user program to switch level of access to said second level of access by selecting said indication of said second level of access.

12. The method as recited in claim 11, wherein said switch user program switches said user to said second level of access by modifying an underlying operating system's registry.

13. The method as recited in claim 12, wherein said switch user program logs off said user with said first level of access, wherein said underlying operating system logs on said user with said second level of access.

14. The method as recited in claim 1, wherein said application framework security database stores system operator information, wherein said application framework security database defines at least one of the following: users, passwords, groups of users and application specific authorization.

15. The method as recited in claim 1 further comprising the step of:
selecting an indication of a second level of access.

16. The method as recited in claim 15, wherein if said logon input is not entitled to said second level of access according to said application framework security database, then said user is restricted to said first level of access.

17. The method as recited in claim 15, wherein if said logon input is entitled to said second level of access according to said application framework security database, then the method further comprises the step of:
executing a switch user program to switch said user to said second level of access.

18. The method as recited in claim 17 further comprising the step of:
transferring said logon input to said underlying operating system for verification.

19. The method as recited in claim 18 further comprising the step of:
comparing said logon input with an underlying operating system security database, wherein if said underlying operating system security database verifies said user with access to said second level of access, then said switch user program switches said user to said second level of access.

20. The method as recited in claim 19, wherein said switch user program switches said user to said second level of access by modifying an underlying operating system's registry.

21. The method as recited in claim 20, wherein said switch user program logs off said user with said first level of access, wherein said underlying operating system logs on said user with said second level of access.

22. The method as recited in claim 18 further comprising the step of:
comparing said logon input with an underlying operating system security database, wherein if said underlying operating system security database does not verify said user with access to said second level of access, then the method further comprises the steps of:
requesting from said user a logon identification; and
comparing said logon identification with said underlying operating system security database.

23. The method as recited in claim 22, wherein said logon identification comprises a user identification and a user password.

24. The method as recited in claim 22, wherein if said underlying operating system security database verifies said user with access to said second level of access, then said switch user program switches said user to said second level of access.

25. The method as recited in claim 24, wherein said switch user program switches said user to said second level of access by modifying an underlying operating system's registry.

26. The method as recited in claim 25, wherein said switch user program logs off said user with said first level of access, wherein said underlying operating system logs on said user with said second level of access.

27. The method as recited in claim 22, wherein if said underlying operating system security database does not verify said user with access to said second level of access, then said user is restricted to said first level of access.
28. A computer program product having a computer readable medium having computer program logic recorded thereon for bypassing an initial sign-on screen of an underlying operating system with a single sign capability, comprising:
programming operable for providing an application framework, wherein said application framework logs on a user with a first level of access in said underlying operating system;
programming operable for generating an application framework sign-on screen;
programming operable for receiving a logon input entered on said generated application framework sign-on screen; and
programming operable for comparing said logon input with an application framework security database to determine level of access.

29. The computer program product as recited in claim 28 further comprises:
programming operable for selecting an indication of said first level of access.

30. The computer program product as recited in claim 28, wherein said user is logged onto said underlying operating system and an application environment with said first level of access thereby bypassing said initial sign-on screen of said underlying operating system with said single sign-on.

31. The computer program product as recited in claim 28, wherein if said logon input is not entitled to a second level of access according to said application framework security database, then said user is restricted to said first level of access.

32. The computer program product as recited in claim 28, wherein if said logon input is entitled to a second level of access according to said application framework security database, then the computer program product further comprises:
programming operable for executing a switch user program to switch said user to said second level of access.

33. The computer program product as recited in claim 32, wherein said switch user program switches said user to said second level of access by modifying an underlying operating system's registry.

34. The computer program product as recited in claim 33, wherein said switch user program logs off said user with said first level of access, wherein said underlying operating system logs on said user with said second level of access.

35. The computer program product as recited in claim 28, wherein said logon input comprises a user identification and a user password.

36. The computer program product as recited in claim 29, wherein if said logon input is entitled to a second level of access according to said application framework security database, then the computer program product further comprises:
programming operable for generating an indication of said second level of access.

37. The computer program product as recited in claim 29, wherein if said logon input is not entitled to a second level of access according to said application framework security database, then an indication of said second level of access will not be generated to said user, wherein said user is restricted to said first level of access.

38. The computer program product as recited in claim 36 further comprises:
programming operable for executing a switch user program to switch level of access to said second level of access by selecting said indication of said second level of access.

39. The computer program product as recited in claim 38, wherein said switch user program switches said user to said second level of access by modifying an underlying operating system's registry.

40. The computer program product as recited in claim 39, wherein said switch user program logs off said user with said first level of access, wherein said underlying operating system logs on said user with said second level of access.

41. The computer program product as recited in claim 28, wherein said application framework security database stores system operator information, wherein said application framework security database defines at least one of the following: users, passwords, groups of users and application specific authorization.

42. The computer program product as recited in claim 28 further comprises:
programming operable for selecting an indication of a second level of access.

43. The computer program product as recited in claim 42, wherein if said logon input is not entitled to said second level of access according to said application framework security database, then said user is restricted to said first level of access.

44. The computer program product as recited in claim 42, wherein if said logon input is entitled to said second level of access according to said application framework security database, then the computer program product further comprises:
programming operable for executing a switch user program to switch said user to said second level of access.

45. The computer program product as recited in claim 44 further comprises:
programming operable for transferring said logon input to said underlying operating system for verification.

46. The computer program product as recited in claim 45 further comprises:
programming operable for comparing said logon input with an underlying operating system security database, wherein if said underlying operating system security database verifies said user with access to said second level of access, then said switch user program switches said user to said second level of access.

47. The computer program product as recited in claim 46, wherein said switch user program switches said user to said second level of access by modifying an underlying operating system's registry.

48. The computer program product as recited in claim 47, wherein said switch user program logs off said user with said first level of access, wherein said underlying operating system logs on said user with said second level of access.

49. The computer program product as recited in claim 45 further comprises:
programming operable for comparing said logon input with an underlying operating system security database, wherein if said underlying operating system security database does not verify said user with access to said second level of access, then the computer program product further comprises:
programming operable for requesting from said user a logon identification; and
programming operable for comparing said logon identification with said underlying operating system security database.

50. The computer program product as recited in claim 49, wherein said logon identification comprises a user identification and a user password.

51. The computer program product as recited in claim 49, wherein if said underlying operating system security database verifies said user with access to said second level of access, then said switch user program switches said user to said second level of access.

52. The computer program product as recited in claim 51, wherein said switch user program switches said user to said second level of access by modifying an underlying operating system's registry.

53. The computer program product as recited in claim 52, wherein said switch user program logs off said user with said first level of access, wherein said underlying operating system logs on said user with said second level of access.

54. The computer program product as recited in claim 49, wherein if said underlying operating system security database does not verify said user with access to said second level of access, then said user is restricted to said first level of access.
55. A data processing system, comprising:
a processor;
a memory unit operable for storing a computer program operable for bypassing an initial sign-on screen of an underlying operating system with a single sign capability;
an input mechanism;
an output mechanism; and
a bus system coupling the processor to the memory unit, input mechanism, and output mechanism, wherein the computer program is operable for performing the following programming steps:
providing an application framework, wherein said application framework logs on a user with a first level of access in said underlying operating system;
generating an application framework sign-on screen;
receiving a logon input entered on said generated application framework sign-on screen; and
comparing said logon input with an application framework security database to determine level of access.

56. The data processing system as recited in claim 55, wherein the computer program is further operable to perform the programming step:
selecting an indication of said first level of access.

57. The data processing system as recited in claim 55, wherein said user is logged onto said underlying operating system and an application environment with said first level of access thereby bypassing said initial sign-on screen of said underlying operating system with said single sign-on.

58. The data processing system as recited in claim 55, wherein if said logon input is not entitled to a second level of access according to said application framework security database, then said user is logged onto an application environment and said underlying operating system as said first level of access.

59. The data processing system as recited in claim 55, wherein if said logon input is entitled to a second level of access according to said application framework security database, then the computer program is further operable to perform the programming step:
executing a switch user program to switch said user to said second level of access.

60. The data processing system as recited in claim 59, wherein said switch user program switches said user to said second level of access by modifying an underlying operating system's registry.

61. The data processing system as recited in claim 60, wherein said switch user program logs off said user with said first level of access, wherein said underlying operating system logs on said user with said second level of access.

62. The data processing system as recited in claim 55, wherein said logon input comprises a user identification and a user password.

63. The data processing system as recited in claim 56, wherein if said logon input is entitled to a second level of access according to said application framework security database, then the computer program is further operable to perform the programming step:
generating an indication of said second level of access.

64. The data processing system as recited in claim 56, wherein if said logon input is not entitled to a second level of access according to said application framework security database, then an indication of said second level of access will not be generated to said user, wherein said user is restricted to said first level of access.

65. The data processing system as recited in claim 63, wherein the computer program is further operable to perform the programming step:
executing a switch user program to switch level of access to said second level of access by selecting said indication of said second level of access.

66. The data processing system as recited in claim 65, wherein said switch user program switches said user to said second level of access by modifying an underlying operating system's registry.

67. The data processing system as recited in claim 66, wherein said switch user program logs off said user with said first level of access, wherein said underlying operating system logs on said user with said second level of access.

68. The data processing system as recited in claim 55, wherein said application framework security database stores system operator information, wherein said application framework security database defines at least one of the following: users, passwords, groups of users and application specific authorization.

69. The data processing system as recited in claim 55, wherein the computer program is further operable to perform the programming step:
selecting an indication of a second level of access.

70. The data processing system as recited in claim 69, wherein if said logon input is not entitled to said second level of access according to said application framework security database, then said user is restricted to said first level of access.

71. The data processing system as recited in claim 69, wherein if said logon input is entitled to said second level of access according to said application framework security database, then the computer program is further operable to perform the programming step:
executing a switch user program to switch said user to said second level of access.

72. The data processing system as recited in claim 71, wherein the computer program is further operable to perform the programming step:
transferring said logon input to said underlying operating system for verification.

73. The data processing system as recited in claim 72, wherein the computer program is further operable to perform the programming step:
comparing said logon input with an underlying operating system security database, wherein if said underlying operating system security database verifies said user with access to said second level of access, then said switch user program switches said user to said second level of access.

74. The data processing system as recited in claim 73, wherein said switch user program switches said user to said second level of access by modifying an underlying operating system's registry.

75. The data processing system as recited in claim 74, wherein said switch user program logs off said user with said first level of access, wherein said underlying operating system logs on said user with said second level of access.

76. The data processing system as recited in claim 72, wherein the computer program is further operable to perform the programming step:
comparing said logon input with an underlying operating system security database, wherein if said underlying operating system security database does not verify said user with access to said second level of access, then the computer program is further operable to perform the programming steps:
requesting from said user a logon identification; and
comparing said logon identification with said underlying operating system security database.

77. The data processing system as recited in claim 76, wherein said logon identification comprises a user identification and a user password.

78. The data processing system as recited in claim 76, wherein if said underlying operating system security database verifies said user with access to said second level of access, then said switch user program switches said user to said second level of access.

79. The data processing system as recited in claim 78, wherein said switch user program switches said user to said second level of access by modifying an underlying operating system's registry.

80. The data processing system as recited in claim 79, wherein said switch user program logs off said user with said first level of access, wherein said underlying operating system logs on said user with said second level of access.

81. The data processing system as recited in claim 76, wherein if said underlying operating system security database does not verify said user with access to said second level of access, then said user is restricted to said first level of access.
SINGLE SIGN-ON TO AN UNDERLYING OPERATING SYSTEM APPLICATION 

ABSTRACT OF THE INVENTION 



A method and computer program product for bypassing the initial sign-on of an underlying 
operating system with single sign-on capability. In one embodiment, a method comprises the step of 
providing an application framework which logs on a user with a first level of access in the underlying 
operating system, thereby bypassing the initial sign-on screen of the underlying operating system. The 
method further comprises the user entering a logon input, e.g., userID and password, on a generated 
application framework sign-on screen. The method further comprises comparing the logon input with an 
application framework security database to determine the level of access. If the user is only entitled to the 
first level of access, then the user is restricted to the first level of access. If the user is entitled to another 
level of access, then a switch user program may be executed to switch the level of access to a second level 
of access, i.e., a change in the assortment and/or number of applications. In another embodiment, the user 
selects an icon to maintain the first level of access upon entering the logon input. In another embodiment, 
the user selects an icon to change the level of access upon entering the logon input. 
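The abstract and method claims 1 through 27 describe one decision flow: the framework's own database decides whether a switch to the second level is attempted, the operating system's database decides whether it succeeds, and a failed verification leads to one request for a logon identification before the user is held at the first level. The following Python simulation of that flow is an added example, not code from the patent; the two databases, the group name "operators", the PBKDF2 password verifier and the sample users are all constructed assumptions, and the switch-user step is modelled as a change of session state rather than a registry modification.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

FIRST_LEVEL = "first"    # level the framework logs every user on with (claim 1)
SECOND_LEVEL = "second"  # level reached only through the switch-user step


def _verifier(password, salt):
    # PBKDF2 is this example's choice; the patent only says passwords are stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class SecurityDatabase:
    """Users, password verifiers and groups (claim 14); stands in for both the
    framework database and the operating-system database."""
    users: dict = field(default_factory=dict)   # userid -> (salt, verifier)
    groups: dict = field(default_factory=dict)  # userid -> set of group names

    def add_user(self, userid, password, groups=()):
        salt = os.urandom(16)
        self.users[userid] = (salt, _verifier(password, salt))
        self.groups[userid] = set(groups)

    def verify(self, userid, password):
        """Constant-time comparison of the computed verifier with the stored one."""
        salt, stored = self.users.get(userid, (b"", b""))
        return bool(stored) and hmac.compare_digest(_verifier(password, salt), stored)

    def entitled_to_second_level(self, userid):
        return "operators" in self.groups.get(userid, set())


@dataclass
class Session:
    userid: str
    level: str = FIRST_LEVEL   # already logged on at the first level (claim 1)
    log: list = field(default_factory=list)


def switch_user(session, os_db, userid, password, prompt):
    """Claims 18-27: hand the logon input to the OS database; on failure ask
    once for a logon identification (userid, password); if that also fails
    the user stays at the first level. Modelled as session state, not registry."""
    if os_db.verify(userid, password):
        session.level = SECOND_LEVEL
        session.log.append("switched")
        return session
    session.log.append("os-rejected")
    retry_id, retry_pw = prompt()          # claim 22: request a logon identification
    if os_db.verify(retry_id, retry_pw):
        session.userid, session.level = retry_id, SECOND_LEVEL
        session.log.append("switched-after-retry")
    else:
        session.log.append("restricted")   # claim 27
    return session


def framework_sign_on(fw_db, os_db, userid, password, prompt=lambda: ("", "")):
    """Claims 1, 4, 5 and 17: the framework's own database decides whether the
    switch-user step is attempted at all; anyone else stays at the first level."""
    session = Session(userid)
    if not (fw_db.verify(userid, password) and fw_db.entitled_to_second_level(userid)):
        session.log.append("first-level-only")   # claims 4 and 16
        return session
    return switch_user(session, os_db, userid, password, prompt)


def build_demo():
    """Constructed sample databases for this example (not from the patent)."""
    fw_db = SecurityDatabase()
    fw_db.add_user("alice", "fw-pass-alice")                      # ordinary user
    fw_db.add_user("olga", "shared-pass", groups=("operators",))  # same password in both
    fw_db.add_user("oscar", "fw-pass-oscar", groups=("operators",))
    os_db = SecurityDatabase()
    os_db.add_user("olga", "shared-pass")
    os_db.add_user("oscar", "os-pass-oscar")   # OS password differs from the framework's
    return fw_db, os_db
```

The session log records which branch of the claims was taken, so each outcome (first level only, direct switch, switch after the retry of claim 22, or restriction under claim 27) can be checked.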
PATENT APPLICATION 

As a below named inventor, I hereby declare that: 

My residence, post office address and citizenship are as stated below next to my name; 

I believe I am the original, first and sole inventor (if only one name is listed below) or an original, first and joint 
inventor (if plural names are listed below) of the subject matter which is claimed and for which a patent is 
sought on the invention entitled 

SINGLE SIGN-ON TO AN UNDERLYING OPERATING SYSTEM APPLICATION 

the specification of which: (check one) 
XXX is attached hereto. 



was filed on 

XXX under Attorney's Docket Number RPS9-2000-0052US1 

as Application Serial No. 

and was amended on (if applicable). 

I hereby state that I have reviewed and understand the contents of the above identified specification, 
including the claims, as amended by any amendment referred to above. 

I acknowledge the duty to disclose information which is material to the patentability of this application in 
accordance with 37 CFR 1.56. 

I hereby claim the benefit of foreign priority under 35 USC 119 of any foreign application(s) for patent or 
inventor's certificate listed below and have also identified below any foreign application for patent or inventor's 
certificate having a filing date before that of the application the priority of which is claimed: 

Prior Foreign Application(s): Priority Claimed 

Yes No 

(Number) (Country) (Filing Date) 

I hereby claim the benefit of United States priority under 35 USC 120 of any United States application(s) 
listed below and, insofar as the subject matter of each of the claims of this application is not disclosed in a 
listed prior United States application in the manner provided by the first paragraph of 35 USC 112, I 
acknowledge the duty to disclose information material to the patentability of this application as defined in 
37 CFR 1.56 which occurred between the filing date of the prior application and the national or PCT 
international filing date of this application: 



(Application Serial #) (Filing Date) (Status) 

I hereby declare that all statements made herein of my own knowledge are true and that all statements made 
on information and belief are believed to be true; and further that these statements were made with the 
knowledge that willful false statements and the like so made are punishable by fine or imprisonment, or both, 
under 18 USC 1001 and that such willful false statements may jeopardize the validity of the application or 
any patent issued thereon. 